On Fri, Apr 17, 2015 at 12:47:45PM -0400, Olafur Gudmundsson wrote:
> > My understanding is that some people wanted to experiment with TLSA
> > without having to have had DNSSEC deployed. But I take your answer
> > to be that no such behaviour is defined here, which is fine. So
> > consider this one answered.
>
> Stephen, I want to remind you of the conversations we had before and after
> the IETF meeting in Taipei, when this topic was going in circles.
> Conclusion of discussion: DANE REQUIRES DNSSEC <full stop>
>
> If someone wants to publish TLSA records w/o DNSSEC that can work in their
> environment but it is not going to be globally visible.
> This and other WG documents should not be in conflict with the principle
> above.
I don't disagree, but to be fair, the original DANE discussions
were likely not about opportunistic protocols. With opportunistic
uses of DANE, one can argue that if "insecure" TLSA records are
published, one might as well use them.
Thus, for example, when address records are reported "insecure",
instead of bypassing TLSA lookups, to avoid the potential interop
issues, one could simply make "TLSA" lookup failure non-critical
and then use "insecure" TLSA records when available, without claiming
any security. Just log authentication failures, but deliver anyway.
Such a mode of operation is not specified in the draft. I don't
know whether there would be much demand/adoption of such a
"variant" of the protocol.
The present draft is a defense against active attacks, the variant
would be some sort of tamper-evidence, though it is not clear
exactly what "sort" unless the TLSA records observed are recorded,
and regularly analyzed for "anomalies".
--
Viktor.
_______________________________________________
dane mailing list
https://www.ietf.org/mailman/listinfo/dane
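The two policies the post contrasts, as an added model (not code from the post, the draft, or any MTA): "draft" is the DANE-requires-DNSSEC behaviour where insecure address records bypass TLSA, and "variant" is the hypothetical log-only mode where insecure TLSA records are evaluated for tamper evidence but never gate delivery. The status names "secure", "insecure", "bogus" and "missing", the mode labels, and the simplified treatment of unusable-but-secure TLSA records (folded into the opportunistic case) are assumptions of this example.

```python
# Added example: policy model for one MX host. Not from the original post.
# Statuses model the resolver's DNSSEC validation result; "secure" means the
# AD bit was set, "insecure" means unsigned, "bogus" means validation failed.
from dataclasses import dataclass


@dataclass
class Decision:
    deliver: bool    # attempt delivery at all?
    use_tls: bool    # attempt STARTTLS?
    verify: bool     # require TLSA authentication to succeed (fail closed)?
    log_only: bool   # evaluate TLSA against the cert but only log mismatches
    reason: str


def decide(mode, addr_status, tlsa_status, tlsa_records):
    """mode is "draft" (DANE requires DNSSEC) or "variant" (log-only TLSA)."""
    if addr_status == "bogus" or tlsa_status == "bogus":
        # Validation failures are never usable data in either mode.
        return Decision(False, False, False, False, "bogus DNSSEC data: defer")
    if addr_status == "secure" and tlsa_status == "secure" and tlsa_records:
        # Genuine DANE: authenticated TLS is mandatory, mismatch fails closed.
        return Decision(True, True, True, False, "secure TLSA: mandatory DANE TLS")
    if mode == "draft":
        # Insecure address records or no secure TLSA: TLSA is bypassed and the
        # MTA falls back to opportunistic, unauthenticated TLS.
        return Decision(True, True, False, False, "no secure TLSA: opportunistic TLS")
    # "variant" mode: insecure TLSA records are consulted but never enforced.
    if tlsa_status == "insecure" and tlsa_records:
        return Decision(True, True, False, True, "insecure TLSA: log-only check")
    return Decision(True, True, False, False, "no TLSA: opportunistic TLS")


def after_handshake(d, cert_matches_tlsa, log):
    """Apply the decision once the peer cert is known; True means deliver."""
    if d.verify and not cert_matches_tlsa:
        log.append("DANE authentication failed: not delivering")
        return False
    if d.log_only and not cert_matches_tlsa:
        # The post's tamper-evidence mode: record the anomaly, deliver anyway.
        log.append("insecure TLSA mismatch recorded; delivering without claim")
    return d.deliver
```

The log entries produced in "variant" mode are only useful as tamper evidence if they are retained and periodically reviewed for anomalies, which is the caveat the post ends on.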